From 9a425c5838377b04fd31772f23a5b0010c9397c2 Mon Sep 17 00:00:00 2001
From: Luke Kysow <1034429+lkysow@users.noreply.github.com>
Date: Thu, 4 Nov 2021 15:32:28 -0700
Subject: [PATCH 1/2] Give better error when using default service acct If consul login fails when the service account name is `default` then give an explicit warning that the reason it failed is because in default installations that is not a support service account name. We can't fail during injection because we support modifying the binding rule such that `default` _is_ a valid svc account name.
---
 control-plane/subcommand/connect-init/command.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/control-plane/subcommand/connect-init/command.go b/control-plane/subcommand/connect-init/command.go
index d8158b5f20..e7487fb9e1 100644
--- a/control-plane/subcommand/connect-init/command.go
+++ b/control-plane/subcommand/connect-init/command.go
@@ -138,6 +138,12 @@ func (c *Command) Run(args []string) int {
 return err
 }, backoff.WithMaxRetries(backoff.NewConstantBackOff(1*time.Second), numLoginRetries))
 if err != nil {
+ if c.flagServiceAccountName == "default" {
+ c.logger.Warn("The service account name for this Pod is \"default\"." +
+ " In default installations this is not a supported service account name." +
+ " The service account name must match the name of the Kubernetes Service" +
+ " or the consul.hashicorp.com/connect-service annotation.")
+ }
 c.logger.Error("Hit maximum retries for consul login", "error", err)
 return 1
 }
From b71595f21f097002734fe30b790733a768c1ba89 Mon Sep 17 00:00:00 2001
From: Luke Kysow <1034429+lkysow@users.noreply.github.com>
Date: Fri, 5 Nov 2021 09:53:30 -0700
Subject: [PATCH 2/2] Add changelog
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a0637ab958..0506a8a8f4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
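Review bot: The new `if c.flagServiceAccountName == "default"` branch in `Run` (control-plane/subcommand/connect-init/command.go) has no comment saying why it only warns, and the rationale, that a modified binding rule can make `default` a valid service account name, is recorded only in the commit message. I would add above it: `// Warn instead of failing: a custom binding rule may accept "default", so this is a hint about the likely cause, not a verdict.` The warning is emitted for every exhausted login with that name, including failures unrelated to the binding rule, so it is worth keeping it directly next to the `"Hit maximum retries for consul login"` error that carries the real `err`, as the hunk does. The first patch as shown touches only command.go, so the branch appears to have no test; a case that sets the flag to `default`, forces login to fail and checks for the warning would pin it. `Run` begins before and continues after this hunk.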
@@ -3,6 +3,7 @@ IMPROVEMENTS: * Control Plane * TLS: Support PKCS1 and PKCS8 private keys for Consul certificate authority. [[GH-843](https://github.com/hashicorp/consul-k8s/pull/843)] + * Connect: Log a warning when ACLs are enabled and the default service account is used. [[GH-842](https://github.com/hashicorp/consul-k8s/pull/842)] * CLI * Delete jobs, cluster roles, and cluster role bindings on `uninstall`. [[GH-820](https://github.com/hashicorp/consul-k8s/pull/820)]